
Massachusetts data privacy law, outwards and upwards September 28, 2011

Posted by Brandon in Tenet Forum - The Law.

Last week, Massachusetts Attorney General Martha Coakley announced that she may investigate Apple Inc. for breaches of the Massachusetts personal data laws, and that her office is otherwise stepping up enforcement.  With 480 data breach reports this year, Coakley estimates that one in three Massachusetts residents has been the victim of a personal data breach.  Her comments lead some to believe that what many consider an obscure law will be enforced not just in Massachusetts, but nationwide.

In 2007, Massachusetts enacted Chapter 93H to address security breaches involving personal data.  Under the law and its accompanying regulations, anyone who owns or licenses personal information of Massachusetts residents must develop a program to protect that data, report security breaches, and properly dispose of personal information.  In practice, this means that a company in any jurisdiction, worldwide, may violate the law if it maintains accounts containing personal data of Massachusetts residents.

Chapter 93H was spurred on in part by a major data breach at the Massachusetts company TJX in 2007.  In that incident at least 45.7 million credit and debit card numbers were stolen by attackers who had accessed the TJX computer systems.  However, the regulations promulgated under Chapter 93H did not go into effect until March 2010, and the first fine was not issued until a year later.

The Massachusetts regulations for the data protection law, 201 CMR 17, sought to change the commonwealth’s conception of personal data, and are written to be technology neutral.  The law is enforced by the Massachusetts Attorney General’s Office, and there is no private right of action under Chapter 93H. Katz v. Pershing, No. 10-12227-RGS, at 9 (D. Mass. August 23, 2011).  This lack of a private right of action may be to blame for the lack of enforcement, as public resources have been strained since the law went into effect.  Nonetheless, the regulations are preventive rather than merely reactive to illegal conduct: they require companies to draft and maintain a “written information security program”, or WISP, before any breach occurs.

A company’s WISP must set out procedures for how employees access and use clients’ personal information, and a specific description of how that personal information will be protected.  “Personal information” is defined as a Massachusetts resident’s first and last name (or first initial and last name) combined with a social security number, a driver’s license or state ID number, or a financial account, credit card or debit card number.  It is not clear at this point whether identifiers on documents such as rental applications count as personal information, or whether personal information must still be protected after the person is deceased.

Liability for breach of the Massachusetts data protection law extends to contractors and agents of the company, and penalties may be severe, since they are assessed per violation.  Where violations accumulate, the amounts can be high.  For example, the Briar Group, a group of Boston area restaurants and taverns, settled with the government for $110,000 last year.  If your company handles personal data, it is advisable to keep detailed and clear records of your compliance with the law, including your procedures for handling an internal breach and your reporting mechanisms.  Other measures include encrypted email with customers, security assessments, policy development and employee training.

Some commentators note that a private right of action may exist for breaches of data privacy under Chapter 93A, as an unfair and deceptive trade practice.  Outside Massachusetts, while there may be practical enforcement and jurisdictional issues with policing Chapter 93H and 201 CMR 17, Coakley could be signaling that her office will bring the issue to the courts.  Her comments should prompt companies both inside and outside Massachusetts to tighten up their privacy policies.

Do you agree or have other points on this topic?

License or Contract?: the form of the Open Source license September 7, 2011

Posted by Brandon in Tenet Forum - The Law.

In looking at open source licenses, you may discover that basic assumptions are overlooked in most of the research involving the GNU General Public License, or GPL.  One question never seems to be asked: is the GPL an actual license, or is it a contract?  The answer may have implications for enforcement and remedies when the GPL is alleged to have been breached.  Fortunately, there is some discussion of the topic, but the issue is yet to be resolved.  Problems may lie ahead for the open source community if these agreements are ultimately challenged.

Copyright v. Contract

Copyrighted works are often licensed, not sold.  Copyright licenses are governed by federal law, where the remedies for infringement are an injunction, attorney’s fees and statutory damages.   Contract law, however, is governed by state law, which can award damages for violations of express and implied terms, as well as specific performance.  The consequence of this is that if the GPL is deemed a license, the owners of the open source code may not be able to enforce the clauses governing free distribution or regulating the integrity of the code.

There is a small but growing debate over whether the GPL is a license or a contract.  Some believe that the GPL is a type of contract known as a browsewrap agreement.  At least one court has taken this view, noting that some terms (for example, a limit on the number of users) may be viewed as covenants under a contract rather than as license conditions.  See Netbula LLC v. Storage Technology Corp., 2008 WL 228036 (N.D. Cal., 2008). Alternatively, it could be a unilateral contract without express acceptance until the GPL code is modified or distributed, at which point the agreement becomes a bilateral contract.

However, this view is undermined by the fact that there are many ambiguous or missing terms in the GPL, such as a termination provision. Also, browsewrap agreements are not recognized in all jurisdictions.  More importantly, when it comes to damages, treating the GPL as a contract may not be preferable from the licensor’s point of view.  This is because there would be no expectation damages.  The licensor of open source code does not expect or demand any financial compensation.  There are no expected earnings to be made from the open source code itself.  It is given away for free.  For that reason, plaintiffs may argue that the GPL is not a contract at all.

Unsurprisingly, the enforcers of the GPL [the Free Software Foundation] and at least one federal appeals court view the GPL as a license. See Eben Moglen, Enforcing the GNU GPL, The Free Software Foundation, September 10, 2001;  Jacobsen v. Katzer, 535 F.3d 1373 (Fed. Cir., 2008).  The courts rest their analysis on the fact that open source licenses use the words “provided that”, which imply a condition on a license, not a covenant in a contract.  This is the property rights theory.  Any material breach of the GPL would result in revocation of the license, which exposes the defendant licensee to copyright infringement liability.  By viewing the GPL as a license, the owners of the code can refuse to extend the right to use it to any subsequent user of GPL code.  This may get around issues of privity, under which users who never agreed to the GPL directly with the owners of the code might otherwise be free to use it.

However, the remedy would still be limited to damages and an injunction against further use.  There is a concern that the licensor could not compel distribution of his or her code, only withdraw consent from those who threaten to breach the GPL terms.  Specific performance is not available under the Copyright Act, only under contract, and even there it is a disfavored remedy.  Therefore, there is no easy answer to whether the GPL is a license or a contract, because the law is always catching up to the technology and both views have downsides.

Massachusetts

Massachusetts for the moment has shelved the issue.  Until specific legislation is passed, Massachusetts courts will treat software licenses as contracts subject to the UCC.  See i.LAN Systems, Inc. v. NetScout Service Level Corp., 183 F. Supp. 2d 328, 331 (D. Mass., 2002).  At this time, there is no such legislation in Massachusetts, and therefore this state may not be a favorable venue for defending the GPL.

Open Source Licenses Primer August 17, 2011

Posted by Brandon in Tenet Forum - The Law.

I want to begin this blog with a topic that sparked my interest in this webpage’s creation: open source software.  Open source is a concept which encourages creating and proliferating computer source code at no cost, in order to allow anyone to experiment with and modify the code.  Historically, copyrightable works were protected under the theory that profitability was found in scarcity and privatization. The open source movement has challenged that theory by showing that innovation can also exist through free dissemination, which can ultimately lead to collateral financial gain.  A great example is the Linux operating system, where companies such as Red Hat have emerged to provide technical support.

By disseminating the source code free of charge, more extensive feedback and advertising become available while distribution costs stay at almost zero.  Further, the code could end up becoming a de facto standard for whatever function it serves if enough people become familiar with and rely on that software.  However, open source software presents complicated legal problems regarding copyright ownership, and therefore infringement.  To address these issues, open source developers release their code subject to licenses under which the author retains copyright in the code and attaches conditions to any derivative modifications.  While the enforceability of these licenses has yet to be directly challenged, it appears that end users are generally assenting to the terms.

Guidelines and Examples of Open Source Licenses

Open source code is always governed by a license, which makes the technology free of charge to use so long as the user conforms to the terms of that license. Open source or public licenses are available in standard forms, such as the GNU General Public License [GPL], the Lesser General Public License [LGPL], and the Mozilla, MIT, Apache and BSD licenses, or an open source developer can draft his or her own terms. While the open source community is amorphous by nature, the Open Source Initiative [OSI], a non-profit with the aim of promoting awareness of the importance of open source, has released a list of conditions a license must meet to conform to open source principles.

To be considered open source software under OSI’s Open Source Definition, the technology must meet the following ten criteria: 1) free redistribution, 2) inclusion of source code, 3) permission to make derivatives, or modifications to the work, 4) integrity of the author’s source code, 5) no discrimination against persons or groups, 6) no discrimination against fields of endeavor, 7) distribution of the license, 8) the license must not be specific to a product, 9) the license must not restrict other software, and finally, 10) the license must be technology neutral.  While these criteria are only advisory and not enforceable, they help guide the analysis of open source licenses.

The standard form open source licenses range from quite restrictive, meaning that the user must make the code and any modifications to it widely available, to less restrictive, meaning that the user may retain more control and ownership over the modifications.  The most restrictive license is the GPL, which dictates that in addition to retaining the original copyright notice and disclaimer, the licensed “work” and any works “based on the program” must be distributed under the GPL, with source code made available.  Ostensibly, this would mean that source code from proprietary files which are statically or dynamically linked to the GPL’d code must be made available under the same terms.  Linking in computer programming is the combining of object modules, which are compiled from source code, to form executables, and can be done either statically or dynamically.  Static linking copies the library’s code into the executable at build time, so the executable physically contains it.  Dynamic linking only records a reference to the library in the executable; the operating system’s loader brings the two together when the executable is run.

Hence under the terms of the GPL, if GPL code in a run-time library were somehow dynamically linked to a proprietary program like Microsoft Word, for example, the entire Microsoft Word program arguably would have to be released under the GPL.  An FAQ produced by the Free Software Foundation states that statically linked files are derivatives under the GPL, but it also considers a qualified class of dynamically linked files to be within the GPL.  The FAQ states that dynamically linked files that “make function calls to each other and share data structures” form a single program, and are thus derived from the GPL code.  Further, the FAQ claims that dynamically linked files where “communication between them [is] limited to invoking the ‘main’ function of the plug-in” may be derivatives.  However, this restrictive interpretation of the GPL, under which dynamically linked files are “infected” by the GPL even though no GPL code is reproduced in them, has drawn criticism and may not be legally enforceable.  See Van Lindberg, Intellectual Property and Open Source: A Practical Guide to Protecting Code (O’Reilly Media, 2008).
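Whichever side of the linking argument one takes, the practical first step in a compliance review is to find out what a binary actually links against at run time. The following is an added example, not code from the original post or from any project it mentions: a small Python parser for the dynamic section of a 64-bit little-endian ELF executable (Linux on x86-64 or AArch64) that lists its DT_NEEDED entries, which are the libraries `ldd` or `readelf -d` would report. It also includes a helper that constructs a minimal ELF image purely as test input; the library names in it are made up. Note what the parser cannot show: statically linked code never appears here, because it has already been copied into the executable, so a static-only binary yields an empty list and has to be examined by other means.

```python
"""List the shared libraries an ELF64 executable is dynamically linked
against, by reading the DT_NEEDED entries of its dynamic section.
Added example; not code from the original post or any project it discusses.
Handles little-endian ELF64 only and raises on anything else or on a
malformed image (struct.error on a truncated one)."""
import struct

PT_LOAD, PT_DYNAMIC = 1, 2                              # program header types
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ = 0, 1, 5, 10   # dynamic entry tags


def needed_libraries(data: bytes) -> list:
    """Return the DT_NEEDED names from an ELF64 image held in memory.
    A statically linked executable has no PT_DYNAMIC segment and yields []."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:                    # EI_CLASS=64-bit, EI_DATA=LSB
        raise ValueError("only little-endian ELF64 is handled")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)

    loads, dynamic = [], None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, off)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic is None:
        return []                                       # nothing is resolved at load time

    needed, strtab_vaddr, strsz = [], None, None
    dyn_off, dyn_size = dynamic
    for off in range(dyn_off, dyn_off + dyn_size, 16):  # Elf64_Dyn is 16 bytes
        d_tag, d_val = struct.unpack_from("<qQ", data, off)
        if d_tag == DT_NULL:
            break
        if d_tag == DT_NEEDED:
            needed.append(d_val)                        # offset into the dynamic string table
        elif d_tag == DT_STRTAB:
            strtab_vaddr = d_val                        # a virtual address, not a file offset
        elif d_tag == DT_STRSZ:
            strsz = d_val
    if strtab_vaddr is None or strsz is None:
        raise ValueError("dynamic section lacks DT_STRTAB/DT_STRSZ")

    # Translate the string table's virtual address to a file offset through
    # the PT_LOAD segment that maps it.
    for vaddr, offset, filesz in loads:
        if vaddr <= strtab_vaddr < vaddr + filesz:
            strtab_off = offset + (strtab_vaddr - vaddr)
            break
    else:
        raise ValueError("DT_STRTAB is not backed by any PT_LOAD segment")
    strtab = data[strtab_off:strtab_off + strsz]

    names = []
    for idx in needed:
        if idx >= len(strtab):
            raise ValueError("DT_NEEDED index outside the string table")
        names.append(strtab[idx:strtab.index(b"\0", idx)].decode())
    return names


def build_minimal_elf(needed, base=0x400000) -> bytes:
    """Construct a tiny, non-runnable ELF64 image whose dynamic section names
    the given libraries. Constructed test input only; the names are made up."""
    strtab, indices = b"\0", []
    for name in needed:
        indices.append(len(strtab))
        strtab += name.encode() + b"\0"
    ph_off, ph_count = 64, 2
    strtab_off = ph_off + ph_count * 56                 # right after the program headers
    dyn_off = (strtab_off + len(strtab) + 7) & ~7       # 8-byte aligned
    dyn = b"".join(struct.pack("<qQ", DT_NEEDED, i) for i in indices)
    dyn += struct.pack("<qQ", DT_STRTAB, base + strtab_off)
    dyn += struct.pack("<qQ", DT_STRSZ, len(strtab))
    dyn += struct.pack("<qQ", DT_NULL, 0)
    total = dyn_off + len(dyn)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # e_ident: ELF64, LSB, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 0x3E, 1, base,  # ET_DYN, x86-64
                        ph_off, 0, 0, 64, 56, ph_count, 64, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, base, base, total, total, 0x1000)
    phdrs += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, base + dyn_off,
                         base + dyn_off, len(dyn), len(dyn), 8)
    pad = b"\0" * (dyn_off - strtab_off - len(strtab))
    return ehdr + phdrs + strtab + pad + dyn


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:                  # e.g. any Linux x86-64 binary
        print("\n".join(needed_libraries(f.read())))
```

Run it as `python elf_needed.py /path/to/binary` (hypothetical file name) to see the library list for a real executable. The list is a starting point, not the whole answer: a library can itself pull in further DT_NEEDED dependencies, and plug-ins loaded through dlopen() at run time never appear in the dynamic section at all, which is exactly the case the FSF FAQ language about invoking a plug-in’s “main” function is reaching for.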

Less restrictive open source licenses include the Mozilla Public License and the LGPL.  Mozilla requires that modifications to the licensed files themselves become subject to the license, and the LGPL permits proprietary licensing of a program that uses the library, provided a suitable shared library mechanism is used for linking with the (possibly modified) library.  The least restrictive, i.e. most permissive, licenses include the Apache, Revised BSD and MIT licenses, where all that is required is retention of the copyright notice attributing the original code to its authors, and in the case of the Apache license identifying your own modifications as such.

Other Forms of Open Source

Most people who are familiar with the open source movement are aware of free and open source software, or FOSS. However, some developers have expanded the world of open source to hardware as well, known as OSHW. Open source hardware is a relatively new phenomenon and not widely discussed, and appears to use existing open source software licenses for distribution.
